mobile security - carnegie mellon...

©2015 Patrick Tague 1 Mobile Security Fall 2015 Patrick Tague #6: More WiFi Security; WiFi Privacy Issues


Post on 22-Jul-2020


Page 1: Mobile Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14829/f15/files/14829f15_06.pdf · 2015-10-01 · ©2015 Patrick Tague 3 A Quick Warning • For students at the

©2015 Patrick Tague 1

Mobile Security, Fall 2015

Patrick Tague

#6: More WiFi Security; WiFi Privacy Issues


Class #6

• WiFi vulnerabilities (continued from class #5)

• WiFi information leakage

• Misusing WiFi permissions

• Discussion of next project deliverables (time permitting)


A Quick Warning

• For students at the SV campus, there will be a mandatory evacuation drill today that may or may not happen during today's class
– If the alarms sound, please leave the classroom immediately, quickly go outside, and follow everyone else to the anchor statue in the green space in front of B23
    • I'll stop class.
– When the drill ends, please return very quickly.
    • I'll restart class as soon as people show up.


More WiFi Security


A Scenario

[Figure. Labels: open AP with SSID “Network X” (shown twice); open AP with SSID “Attacker”; laptop with policy to connect to any open AP; laptop with policy to connect to “Network X”; laptop; Internet.]


Another Scenario

[Figure. Labels: enterprise AP with SSID “Company WiFi”; personal AP with SSID “My WiFi”; laptop with policy to connect to “My WiFi”; laptop with policy to connect to “Company WiFi”; Intranet; Internet.]


Rogue Access Points

• What is a Rogue AP?
– It depends on who you ask...

– Any unauthorized AP that either attracts users for malicious purposes or offers network connectivity that should not be offered


Attacks in Public

• Rogue APs deployed in public areas
– Attract users to access/control/block session traffic
– Recovery of user credentials (user/password, etc.)
– Denial / degradation of service
– Bypassing additional security features


Attacks in Enterprise

• Rogue APs in enterprise networks:
– Employee: attach to corporate network for convenience
    • Free internet access for you and your friends (what could go wrong?)
    • Creating an accidental corporate back-door
    • Assume all liability for malicious actions
– Attacker: maliciously attract company employees
    • Data leakage
    • Corporate espionage


How to Create a Rogue AP

• Set up an AP (e.g., using Airsnarf), either with a competing or colliding SSID and configuration

• Create or modify a captive portal to redirect users to a splash page, if needed

• Visit target site or use signal amplifier, directional antenna, etc.

• Steal credentials, DoS, MitM, etc.


Detection

• If the corporate policy is “no WiFi”, any WiFi signal can raise an alert

• Duplicate SSIDs

• Changed or mismatching MAC addresses

• Changed or mismatching SNR values

• Unexpected association requests or other behaviors

• Matching wireless traffic for non-corporate SSID with traffic seen inside the corporate network
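
Several of the detection cues above can be checked mechanically from a monitoring sensor's beacon log. The sketch below is an added example, not part of the original slides; the inventory, BSSIDs, SNR baselines and the 10 dB tolerance are constructed assumptions.

```python
from statistics import mean

# Hypothetical authorized inventory: SSID -> {BSSID: baseline SNR (dB) at the sensor}
AUTHORIZED = {
    "Company WiFi": {"02:00:00:aa:00:01": 42.0, "02:00:00:aa:00:02": 35.0},
}
SNR_TOLERANCE_DB = 10.0  # assumed threshold; derive it from a site survey

# Constructed sensor observations: (ssid, bssid, snr_db)
OBSERVATIONS = [
    ("Company WiFi", "02:00:00:aa:00:01", 41.0),
    ("Company WiFi", "02:00:00:aa:00:01", 43.5),
    ("Company WiFi", "02:00:00:aa:00:02", 12.0),  # known MAC, unexpected SNR
    ("Company WiFi", "02:00:00:aa:00:02", 14.0),
    ("Company WiFi", "02:00:00:bb:00:09", 55.0),  # duplicate SSID, unknown MAC
    ("My WiFi",      "02:00:00:cc:00:07", 30.0),  # non-corporate SSID
]

def detect_rogue_aps(observations, authorized, no_wifi_policy=False):
    """Return a sorted list of (reason, ssid, bssid) alerts."""
    alerts = set()
    snr_seen = {}
    for ssid, bssid, snr in observations:
        bssid = bssid.lower()
        if no_wifi_policy:
            # Under a "no WiFi" policy every observed signal is an alert.
            alerts.add(("wifi-signal-under-no-wifi-policy", ssid, bssid))
            continue
        known = authorized.get(ssid)
        if known is None:
            # Not rogue by itself: correlate with traffic seen on the wired side.
            alerts.add(("non-corporate-ssid-check-wired-side", ssid, bssid))
        elif bssid not in known:
            alerts.add(("duplicate-ssid-unknown-mac", ssid, bssid))
        else:
            snr_seen.setdefault((ssid, bssid), []).append(snr)
    for (ssid, bssid), values in snr_seen.items():
        # A known MAC heard at a very different SNR suggests a different transmitter.
        if abs(mean(values) - authorized[ssid][bssid]) > SNR_TOLERANCE_DB:
            alerts.add(("snr-mismatch-possible-mac-spoof", ssid, bssid))
    return sorted(alerts)
```
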


Defense

• 802.11i with 802.1x
– Strong link level authentication can protect against Rogue APs targeting unsuspecting users

• What about public networks?

• What about Rogue APs set up by employees?


Does 802.11i have other vulnerabilities?


Some Background

• WPA2 uses two types of encryption keys, the Pairwise Transient Key (PTK) and the Group Temporal Key (GTK)

Image from AirTight Networks whitepaper


Hole196

• Malicious insider can misuse the GTK
– Ex: ARP poisoning using the GTK allows the insider to advertise itself as the gateway
– Ex: DoS using GTK sequence number preemption

• Discovered by Ahmad et al. at AirTight Security
– “Hole196” is named for the page number where the vulnerability is buried in the IEEE 802.11 v2007 std.
– Implementation independent

Image from AirTight Networks whitepaper


Hole196 Patches

• Client isolation
– Non-standardized approach to logically separate clients

• Don't use the GTK
– Trade encrypted broadcast for multiple encrypted unicast

• WIPS


What about WiFi hotspots?


Hotspots

[Figure: message sequence for hotspot access. Entities: Device, AP, Public AC Server / HTTP Proxy, Credit Card Server, across the Access Network and the Internet. Messages: web browser issues HTTP/GET; HTTP/REDIRECT to secure login page; TLS transaction providing credit card info to public access control server; e-commerce transaction to approve credit card purchase; display successful login page; Internet access.]


Hotspot Security

• How to bootstrap security?

• What about rogue hotspot APs?

• Left as an exercise for you to read about


What about the WiFi PHY & MAC layers?


PHY/MAC Vulnerabilities

• Structure of WiFi MAC allows for targeted jamming, cheating, and general misbehavior

• If you're interested, take 14814/18637 in S16

[Figure: WiFi MAC timing diagram for nodes S1, R1, S2 and R2 over time, showing DIFS, back-off, RTS, SIFS, CTS, Data, ACK and NAV intervals.]


Privacy Issues


WiFi Probing

• WiFi devices need to find available networks in order to connect to them. A few different ways:
– Passive scan – listen for beacon messages from APs
– Active scan
    • Direct probe – query for AP with previously known SSID
    • Broadcast probe – query for AP with wildcard SSID

• Comparison:
– Passive scan is very slow because it waits around for a while on every channel
– Broadcast probe is faster but still listens on every channel
– Direct probe is very fast, multiplied by #known APs


Mobile vs. Nomadic

• WiFi was really designed for nomadic devices
– Laptops: move → wake → use → sleep → move → …
– WiFi probing happens between “wake” and “use”, probably only once per mobility cycle

• Mobile devices aren't nomadic
– Smartphones: use while moving all the time, continue using while not moving
– WiFi probing happens whenever your mobile is looking for WiFi networks to connect to
    • Since they're optimized for performance, this is quite often


The Risk of the SSID Set

• Whenever a mobile device blasts out probe messages, we can learn its relevant SSID set

• So, what's the big deal?

[Figure: three panels built from probed SSID sets. Personal Profiling: a device's set (CMU-SV, Peets, SJCWiFi, monkeys, Univ WA). Tracking: the same set observed @ (x,y,t) and @ (x',y',t'). Social Relationships: overlap between two devices' sets (CMU-SV, Peets, SJCWiFi, monkeys, Univ WA and CMU-SV, SCUWireless, Starbucks, monkeys, Univ WA).]


Potential Fixes

• Since many threats are based on MAC-SSID pairs, MAC pseudonymy can help
– Implies there's a trusted third party to handle pseudonyms, requires pre-existing relationship

• MAC or SSID info can be encrypted
– Requires computation or search on mobile and/or AP to discover which keys should be used to decrypt, requires pre-existing relationship

• Don't use direct probing
– Slow


A Better Fix

• How to prevent SSID/history leakage without sacrificing performance?

• Limit SSID probes using readily available context
– Location!

• In addition to storing the SSID/MAC, store the lat/long coordinates
– Only send probe messages for known SSIDs within a reasonable distance (~1km?) of the device
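
The filtering rule above can be written in a few lines. This is an added sketch, not code from the slides or from LAPWiN itself: the SSIDs are taken from the earlier slide, the coordinates are constructed placeholders, and sending no direct probe for a network without stored coordinates (or without a location fix) is an assumed policy.

```python
import math

# Constructed saved-network list: SSID -> (lat, lon) stored at last use,
# or None when no location was recorded for that network.
KNOWN_NETWORKS = {
    "CMU-SV":  (37.4104, -122.0598),
    "Peets":   (37.3894, -122.0819),
    "SJCWiFi": (37.3639, -121.9289),
    "Univ WA": (47.6553, -122.3035),
    "monkeys": None,
}
EARTH_RADIUS_KM = 6371.0

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def ssids_to_probe(known, here, radius_km=1.0):
    """SSIDs the device may direct-probe at position `here`."""
    if here is None:
        return []  # no location fix: fall back to passive/broadcast scanning
    return sorted(ssid for ssid, where in known.items()
                  if where is not None and haversine_km(where, here) <= radius_km)

def leaked_fraction(known, here, radius_km=1.0):
    """Share of the saved SSID set revealed to a listener at this position."""
    return len(ssids_to_probe(known, here, radius_km)) / len(known)
```
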


Location-Aided Probing (LAPWiN)


Minimizing SSID Leakage


Kitchen: 154 users and 266 unique SSIDs

Office: 423 users and 445 unique SSIDs

Coffee shop: 182 users and 279 unique SSIDs


What about information leakage within the mobile phone?


Internal Information Leakage

• Malware can access and exfiltrate data without detection by common tools

• How to bypass TaintDroid:

    if location == "Atlantic City"
        untainted_location = "AC"
    end

    send(location)            // flagged
    send(untainted_location)  // NOT flagged
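
Why the second send goes unflagged: the value reaches `untainted_location` through a branch, not through a data copy. The toy tracker below is an added illustration, not TaintDroid's implementation; its class and function names are hypothetical. It runs the slide's snippet once with data-flow tracking only and once with control-dependence tracking.

```python
from contextlib import contextmanager

class Tainted(str):
    """String carrying a source label; plain str values are untainted."""
    def __new__(cls, value, label):
        obj = super().__new__(cls, value)
        obj.label = label
        return obj

def label_of(value):
    return getattr(value, "label", None)

class ToyTracker:
    def __init__(self, track_control_flow):
        self.track_control_flow = track_control_flow
        self.branch_labels = []  # labels of conditions execution depends on

    @contextmanager
    def branch_on(self, operand):
        """Mark the enclosed code as control-dependent on `operand`."""
        self.branch_labels.append(label_of(operand))
        try:
            yield
        finally:
            self.branch_labels.pop()

    def assign(self, value):
        """Model a store executed inside the current branches."""
        if self.track_control_flow:
            for label in self.branch_labels:
                if label is not None:
                    return Tainted(value, label)  # implicit flow recorded
        return value  # data-flow only: a constant stays untainted

    def send_is_flagged(self, value):
        return label_of(value) is not None

def run_slide_snippet(track_control_flow):
    """Return (location flagged?, untainted_location flagged?)."""
    t = ToyTracker(track_control_flow)
    location = Tainted("Atlantic City", "LOCATION")
    untainted_location = ""
    with t.branch_on(location):
        if location == "Atlantic City":
            untainted_location = t.assign("AC")
    return t.send_is_flagged(location), t.send_is_flagged(untainted_location)
```

Tracking control dependence catches this flow, but it also taints every value written under a tainted branch, so it flags far more sends than data-flow tracking does.
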


More SSID Sets

• Unlike sniffing your “favorite” SSIDs, an app with the ACCESS_WIFI_STATE permission can see the SSIDs of WiFi networks nearby, regardless of connection
– This means the app can build a time-stamped list of the networks you are/were near

Why is this a big deal?


WiFi Data


Implicit Location Inference


Can we defend against this type of internal context leakage?

I don't know...


Questions?


Next Project Deliverables

• Statement of Work – a detailed, properly scoped list of tasks to be achieved by the end of the semester
– Written SoW:
    • Due October 15
    • Max 2 pages in IEEE 2-column format
    • Include nice illustrations/figures to show what your team is doing
– SoW Presentation:
    • In class October 13 and 15 (randomly ordered)
    • Max 8 minutes per team
    • 1-slide template provided (can add 2-3 more if needed)

• Hopefully, this is ready long before the deadline...


Oct 1: Tutorial II: Android Analysis Tools

Oct 6: Personal Area Networks